-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security contact information #10
base: main
Are you sure you want to change the base?
Conversation
Add instructions for reporting security vulnerabilities
@@ -67,4 +67,6 @@ requested and approved by the OpenELA TSC on a per-individual basis. | |||
|
|||
## Contacting the OpenELA TSC | |||
|
|||
The TSC can be contacted via the email address: [[email protected]](mailto:[email protected]) | |||
The TSC can be contacted via the email address: [[email protected]](mailto:[email protected]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: missing dot at the end of the line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i'll respin this PR without modifying that line
Please report security issues to the Technical Steering Committee. | ||
https://github.com/openela/governance/tree/main/TSC#contacting-the-openela-tsc | ||
|
||
We encourage the use of GPG encrypted email. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine. I wonder if we could simply use the GitHub builtin vulnerability reporting instead? Would allow collaboration on issues.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would probably work assuming the TSC gets notified. The one complication is that we'd be directing folks to use a specific repository (the issues repository, which doesn't exist yet) rather than allowing issues everywhere in openela-main, and that would prevent the private-issues-reporting tool from creating forks (since it'd be a different repository).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Git hub renders the security file if it's all uppercase in the name, so 'SECURITY.md`. would you please rename it that way?
I'm going to hold off on this for now. Dirk is right that native github vulnerability handling is better than emailing the TSC, however those issues should go into the not-yet-created catchall project we're going to have for filing and responding to issues, so we can pick this back up once that repository is available. |
No description provided.